f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46

General

Target

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Size

1.2MB
MD5

66045ebf6e3b8a7898b38e4dc0a9345d
SHA1

b4981cea040a229620ef1447cfc75acf9d90a7ce
SHA256

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46
SHA512

08c867cea58195b0d015163f7667f5e794dd2ff74a17469a49a7a9b36070cc9cd646ae6b05e28598a734865cef728461282cc445365a7b460c37294282e06a99

Score

7^/10

adware stealer themida

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1500 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe

pid process

852 f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe

pid	process
1500	cmd.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/852-57-0x0000000000400000-0x0000000000689000-memory.dmp	themida

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 4 IoCs

Processes:

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wsock32.sys	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
File opened for modification	C:\Windows\SysWOW64\9KU8HlMcfl.ini	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
File created	C:\Windows\SysWOW64\9KU8HlMcfl.ini	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
File created	C:\Windows\SysWOW64\del32.bat	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b0000000002000000000010660000000100002000000036a17f52def111e9a1e1dc6a053468fd19c891f8b5cd3426a5c6c0e3bf158b56000000000e8000000002000020000000b4ccd877fcb18788a9414b7045974e7ab291bd059e171009978de6fad2f5474f9000000044bc068313b710bcc52f12dbaf4750ca093578c4f6c1b842bf15cf614b884f67f8e95ac79002353d4dd206c4c92abc9a06323472130c7f24c0c9f78a3466cb64203e8a418095087c8ef485090d39ef44574e6130516ee1c63edaf37b8b737ea061162af64a23924e0b7589f6cbbd8fcc00310037e58577e09dc47dc2964cb1089898367aaf5f051d730a0fa38a07add940000000c91348a60fbf82ee476ac5f5a111415e6fbe1beb56241288cea2233475e70902dec6d7d5b2f6e47b8fee0c4e5e52ab5f03c63556ebf2bbbff5a2203d19094ea3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000006b23efa42aa59d92b87079aa2e40ab0476405f441813bc3f6d9130da27b9b106000000000e8000000002000020000000c2643306a625a74e7669048eac76d31ac9c44d81161005d918425ffd7beb539220000000ff7a294996bdda1ccb7262fb93253c471aa92fe947f3ce0680aa2a18c6934aa140000000d00871eb4207e4f29b6434c705390b3da19534239b31a903b214a241c12f2914b4bfb0972528d20f43a340b390c8c75fa1c2fa0016fc44ce72df939f9719c956	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "357856024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA210591-C667-11EC-8E3C-66DE0394A5F7} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 100d59d1745ad801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Modifies registry class 42 IoCs

Processes:

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS\ = "0"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\ = "N.Cs4"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "Cs4"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION\ = "3.0"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\ = "N"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR\ = "C:\\Windows\\system32"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys"	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe

pid process

852 f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2016 IEXPLORE.EXE

pid	process
2016	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 852 wrote to memory of 2028	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	iexplore.exe
PID 852 wrote to memory of 2028	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	iexplore.exe
PID 852 wrote to memory of 2028	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	iexplore.exe
PID 852 wrote to memory of 2028	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	iexplore.exe
PID 2028 wrote to memory of 2016	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 2016	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 2016	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 2016	2028	iexplore.exe	IEXPLORE.EXE
PID 2016 wrote to memory of 1540	2016	IEXPLORE.EXE	IEXPLORE.EXE
PID 2016 wrote to memory of 1540	2016	IEXPLORE.EXE	IEXPLORE.EXE
PID 2016 wrote to memory of 1540	2016	IEXPLORE.EXE	IEXPLORE.EXE
PID 2016 wrote to memory of 1540	2016	IEXPLORE.EXE	IEXPLORE.EXE
PID 852 wrote to memory of 1500	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	cmd.exe
PID 852 wrote to memory of 1500	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	cmd.exe
PID 852 wrote to memory of 1500	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	cmd.exe
PID 852 wrote to memory of 1500	852	f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe
"C:\Users\Admin\AppData\Local\Temp\f9e8d17a5b0ed4a95a778824e93609c534db70e30fb4beeccea2907d9488bd46.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Program Files (x86)\internet explorer\iexplore.exe
"C:\Program Files (x86)\internet explorer\iexplore.exe" http://
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\del32.bat
2⤵
- Deletes itself
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DJ7KP0JU.txt
Filesize
605B

MD5
d988e07bd6e81f92eeb6df3a1722867e

SHA1
706d3ba3e03aea8eb53fbf43bda04aab2eb578ea

SHA256
495d2fe53949ada70f085e6501d3446f1020c64542623e102d61ed072efee781

SHA512
f3ad4d03d0094e54a5d56fbacb8437dbd18405a04609fc09dbe2a88a4e6e20454eb7fc414782be7dda354b72562603aa2a1044252cfce4c6e209d9abfad785b2

Download Submit
C:\Windows\SysWOW64\del32.bat
Filesize
174B

MD5
325d18ebf3a7607a849dc90b94bb4ac5

SHA1
197974cb26fe23c10c872bda300d063e96ac7c49

SHA256
558cacdb33fe2a5bc9cd8ec01cc7bb5b3fc3adde64826dbeb6ec903fb8b9304e

SHA512
36f857efe2e41a02440b83f6dc77d4338ffe2b60a4dfd9c4ef1698bc9f843bb8ffab5106f11a7f42a61ee035ec620e4d9494d31de4d6e7eb4480d567f1c26b19

Download Submit
\Windows\SysWOW64\wsock32.sys
Filesize
159KB

MD5
e542cc1875d57544eb2382faf41573b1

SHA1
e23d5915349d5772f23180dfa2c2cac2c0b8d14e

SHA256
0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac

SHA512
5c59a3532e6fe273e954a5161cc095be463377426cb4c6f948d566f833ba7558b437742fa5ee261f7dd31c611ce2bc8092df6ad04f1dc50ed4d0118c75f59468

Download Submit
memory/852-56-0x00000000002E0000-0x00000000003C8000-memory.dmp

Filesize
928KB

Download
memory/852-58-0x0000000004620000-0x0000000004623000-memory.dmp

Filesize
12KB

Download
memory/852-57-0x0000000000400000-0x0000000000689000-memory.dmp

Filesize
2.5MB

Download
memory/1500-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads